Snooping Dragon opens a new chapter in social malware

The Office of His Holiness the Dalai Lama has fallen victim to a cyber attack, but two computer security experts say it could have happened to anyone. Indeed, "social malware" attacks are easy to mount but very difficult to defend against.

Sunday 29 March 2009 18.03 EDT

Two computer scientists investigating the penetration of computer systems run by the Office of His Holiness the Dalai Lama (OHHDL) have concluded that the "combination of well-written malware with well-designed email lures, which we call social malware, is devastatingly effective. Few organisations outside the defence and intelligence sector could withstand such an attack."

Shishir Nagaraja from the University of Illinois at Urbana-Champaign and Ross Anderson from the Cambridge University Computer Laboratory helped the OHHDL with a forensic investigation of the penetration described in Tracking Ghostnet: Investigating a Cyber Espionage Network, published in Information Warfare Monitor. Nagaraja, the first author, visited the OHHDL's office in Dharamsala. Their report, The snooping dragon: social-malware surveillance of the Tibetan movement, is now available online.

The method turned out to be simple. The attackers wrote emails that appeared to come from fellow Tibetans or even co-workers, and attached malware that logged keystrokes and gave them remote access to the infected PCs. The report says: "We assume that one monk clicked on an infected attachment, giving the attackers their first foothold." The authors also noted that the monks were sending emails as plain text rather than encrypting them, and that some used passwords that could be cracked in 15 minutes.
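The two ingredients the report describes, a sender who looks like a colleague and an attachment that is really a program, are exactly what a mail gateway can screen for. The following is an added example, not code from the report, the article or the OHHDL; the address book, the contact name and the sample messages are constructed for illustration, and the heuristics are the author's own, not a method the report prescribes.

```python
"""Heuristic triage of incoming mail for 'social malware' lures.

Added example: scores a raw message for (1) a display name that belongs to a
known contact but an address that does not, and (2) an attachment whose final
extension is a program, optionally disguised with a document extension in front
of it (e.g. schedule.doc.exe). Everything below is constructed for the demo.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical address book: lower-cased display name -> address it should come from.
KNOWN_CONTACTS = {
    "tenzin": "tenzin@example.org",
}

# Final extensions that Windows will execute rather than open as a document.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Extensions an attacker uses as camouflage in a double-extension filename.
DOCUMENT_EXTS = {".doc", ".pdf", ".xls", ".ppt", ".txt", ".rtf"}


def parse_message(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def sender_mismatch(msg: EmailMessage):
    """Return a finding when a known contact's name sits on a foreign address."""
    name, addr = parseaddr(str(msg.get("From", "")))
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        return f"display name {name!r} but address {addr}"
    return None


def attachment_findings(msg: EmailMessage):
    """Flag executable attachments, noting when a document extension hides them."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, ext = os.path.splitext(name)          # "schedule.doc", ".exe"
        _, inner = os.path.splitext(stem)            # "", ".doc"
        if ext in EXECUTABLE_EXTS:
            reason = f"executable attachment {name}"
            if inner.strip() in DOCUMENT_EXTS:
                reason += " disguised with a document extension"
            findings.append(reason)
    return findings


def triage(raw: bytes) -> dict:
    """Combine the checks into a verdict a gateway could act on."""
    msg = parse_message(raw)
    findings = []
    mismatch = sender_mismatch(msg)
    if mismatch:
        findings.append(mismatch)
    findings.extend(attachment_findings(msg))
    return {
        "subject": str(msg.get("Subject", "")),
        "findings": findings,
        "verdict": "quarantine" if findings else "deliver",
    }


def build_sample_lure() -> bytes:
    """Constructed lure: a colleague's name on an unrelated webmail address,
    carrying a fake executable named to look like a Word document."""
    msg = EmailMessage()
    msg["From"] = "Tenzin <tenzin.office@free-mail.example.net>"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Schedule for next week"
    msg.set_content("Please see the attached schedule and confirm.")
    msg.add_attachment(b"MZ\x90\x00not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="schedule.doc.exe")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed legitimate mail from the same contact's real address."""
    msg = EmailMessage()
    msg["From"] = "Tenzin <tenzin@example.org>"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Minutes"
    msg.set_content("Minutes attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="minutes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_benign_message()):
        print(triage(raw))
```

Two caveats a practitioner would add. Once the attackers hold a foothold inside the organisation, the next lure can be sent from a colleague's real account, and the sender check above passes; that is what makes the report's attack "devastatingly effective". And a clean-looking document can still carry an exploit for the application that opens it, so filename heuristics reduce the noise but do not replace keeping sensitive material off the machines that read mail.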

Also, "although this particular case involved the agents of a major power, the attack could in fact have been mounted by a capable motivated individual."

In the past, attackers needed the technical skill to write their own code; today the malware industry works on a commercial basis, and people who want malware can simply buy it.

Although this type of malware is most commonly written for Microsoft Windows, which we assume the OHHDL was using, it can be created for any operating system.

The larger problem is that "the 'best practice' advice that one sees in the corporate sector comes nowhere even close to preventing such an attack," say the authors. They believe that the OHHDL staff "were probably more aware of the Chinese threat and as a result more alert than a typical company security team," and that "the Tibetans' performance has been more effective than we would have expected from a randomly-chosen Western organisation."

In sum, a typical western company could be hacked just as easily, but might be less likely to notice that its systems had been compromised.

In this case, the Chinese attackers made a fundamental mistake. The report says the monks "sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomat's office was contacted by the Chinese government and warned not to go ahead with the meeting."

This alerted the OHHDL staff to the possibility of a security leak, which they then had investigated by experts.

Key defences against social malware include controlling information flows and making sure sensitive data are never held on internet-connected computers, but kept instead on machines that have no email client or web browser installed. Operating at that level of security has its drawbacks, though. The report says:

"In fact, neither of the two authors is confident that we could keep secrets on a network-connected machine that we used for our daily work in the face of determined interest from a capable motivated opponent. The necessary restrictions on online activity would not be consistent with effective academic work."